500 million users at risk of compromise via unpatched WinRAR bug

A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed.

When is a flaw not a flaw? The WinRAR question
By Fahmida Y. Rashid InfoWorld | Sep 30, 2015
A researcher found a remote code execution flaw in WinRAR, but the real question is why you are opening unknown RAR files

So the flaw is that the SFX archive (in the form of an .exe file) can include malicious HTML script? Well it's an executable - it could have anything wrong with it.

WinRAR are entirely correct that "patching" their software to disable the HTML feature when creating SFX archives won't change a thing. The HTML feature has legitimate purposes, and malicious authors can simply use older, "unpatched" versions of WinRAR to create malicious SFX archives. In fact they could create a malicious file without even using WinRAR and just dress it up to look like a valid SFX archive. What good will "patching" the WinRAR SFX creation software do?

Frankly I don't understand why people put any faith in SFX archives, outside of those used in legitimate software installers. I treat them as suspicious, and even if I trust the source will extract them myself using a 3rd party utility like 7-Zip (EMET, software policy, outgoing connections blocked).

Not really, the whole thing is back to front. The vulnerability has nothing to do with opening a .RAR file in WinRAR - it's about SFX archives (.EXE) created in WinRAR. Malicious authors can continue to make malicious .EXE files regardless of what WinRAR's response is.

Tech sites are parroting the line "500 million users at risk", purely based on the fact that there are an estimated 500 million users of WinRAR. Frankly this is bizarre reasoning, and shows a lack of critical thought in tech writers.

Being a user of WinRAR doesn't significantly increase the risk of receiving a malicious SFX archive created from WinRAR.

Some of the supposed tech writers uncritically parroting the "500 million users at risk" line:

It's quite ridiculous, the reporting on this. This only applies to infected WinRAR SFX exe files, in which case it doesn't matter what software is used to manage archives, as an SFX archive is completely self-contained and does not use any external software. While WinRAR can be used to create malicious SFX files, you will not be infected by opening regular archive files.
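The distinction made in this post, that an SFX is a self-contained .exe while a plain .rar is passive archive data, can be checked on the file's bytes rather than its extension. The script below is an example added here, not code from the thread, WinRAR or 7-Zip. It classifies a file using the published RAR4/RAR5 archive signatures and the PE "MZ" header, and for an SFX it carves out the appended archive so the payload can be listed or extracted with an ordinary archiver without the stub ever running, which is the same idea as extracting with a third-party utility instead of double-clicking. The sample files at the bottom are constructed for the demonstration.

```python
"""Classify a file by content, not extension, and carve the archive out of a
RAR self-extracting (SFX) executable so it can be opened instead of run.

Added example for this thread; not WinRAR's or 7-Zip's own code.  The magic
values are the public RAR4/RAR5 signatures and the PE "MZ" header.  The
sample inputs in main() are constructed, not real files.
"""

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature
PE_MZ = b"MZ"                        # DOS/PE executable header


def _find_rar_offset(data: bytes):
    """Offset of the first RAR signature after the PE header, or None."""
    hits = [i for i in (data.find(sig, 2) for sig in (RAR4_SIG, RAR5_SIG)) if i != -1]
    return min(hits) if hits else None


def classify(data: bytes) -> str:
    """Return 'rar-archive', 'sfx-executable', 'executable' or 'other'.

    A plain .rar starts with the RAR signature and contains no code.  An SFX
    is a Windows executable (the extraction stub) with the archive appended
    after it, so the RAR signature shows up at some offset past the header.
    """
    if data.startswith(RAR4_SIG) or data.startswith(RAR5_SIG):
        return "rar-archive"
    if data.startswith(PE_MZ):
        return "sfx-executable" if _find_rar_offset(data) is not None else "executable"
    return "other"


def carve_archive(data: bytes):
    """Return the embedded archive bytes of an SFX, or None if there is none.

    This is how a defender looks inside an SFX: the stub is never executed,
    the appended archive is handed to a normal archiver as plain data.
    """
    if not data.startswith(PE_MZ):
        return None
    off = _find_rar_offset(data)
    return None if off is None else data[off:]


def handling(filename: str, data: bytes) -> dict:
    """Decide how a mail gateway or analyst should treat the file.

    The extension is reported only to show any mismatch; the decision is made
    on content.  Anything with a PE header runs code when opened, whatever it
    is called.
    """
    kind = classify(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    actions = {
        "rar-archive": "open with archiver",
        "sfx-executable": "do not run; carve archive and open with archiver",
        "executable": "treat as untrusted executable",
        "other": "unknown type; inspect",
    }
    return {
        "kind": kind,
        "extension": ext,
        "runs_code": kind in ("executable", "sfx-executable"),
        "action": actions[kind],
    }


if __name__ == "__main__":
    # Constructed samples: a fake SFX (PE header, padding, appended RAR4
    # archive), a plain RAR5 archive, and a bare executable.
    samples = {
        "photos.exe": b"MZ" + b"\x00" * 64 + RAR4_SIG + b"<archive data>",
        "photos.rar": RAR5_SIG + b"<archive data>",
        "setup.exe": b"MZ" + b"\x00" * 64,
    }
    for name, blob in samples.items():
        print(name, handling(name, blob))
        carved = carve_archive(blob)
        if carved is not None:
            print("  carved archive of", len(carved), "bytes")
```

Running the script prints one line per constructed sample; the .exe files are reported as code-running regardless of how they are named, and only the SFX yields a carved archive. On real input, `_find_rar_offset` scans the whole file, so a very large PE that happens to contain the signature string in its own data would be reported as an SFX; treating that as "inspect" rather than "safe" is the conservative failure mode.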

Tech sites are parroting the line "500 million users at risk", purely based on the fact that there are an estimated 500 million users of WinRAR. Frankly this is bizarre reasoning, and shows a lack of critical thought in tech writers.

Yes, and if you have followed reporting on computer security over the years, this type of "reasoning" is nothing new, really.

Being a user of WinRAR doesn't significantly increase the risk of receiving a malicious SFX archive created from WinRAR.

the article said:

Victims only have to open a booby-trapped file, which can be delivered easily via email, and the attack is executed successfully: the system is compromised.

By this reasoning, we can write an article:

"1 Billion Users* at risk of compromise via MSWord"

This [ransomware] campaign is spreading using spam emails that come with a Microsoft Word document. As soon as you open the document, it executes and downloads this malicious ransomware on your computer.**

RJK3 said:
...Frankly I don't understand why people put any faith in SFX archives, outside of those used in legitimate software installers. I treat them as suspicious, and even if I trust the source will extract them myself using a 3rd party utility like 7-Zip (EMET, software policy, outgoing connections blocked).

From the article referenced in the original post...
"...Victims only have to open a booby-trapped file, which can be delivered easily via email, and the attack is executed successfully: the system is compromised..."
Hello, but ANY malicious EXE FILE is executable, and will produce the same results. If I can get you to run a malicious exe of any kind, why would I want to go to the extra trouble of making it about WinRAR? Did the idea for this come from WinZip? I have no more concern for this than I do for ANY potentially malicious exe file.

Thanks busy. Glad you were not too busy to take the time to post that link. Appreciate it.

Dunno what to think. Hard to believe that a Blog Post on Malwarebytes Official Security Blog would validate this exploit on a not fully updated Windows OS, unless he was using Windows XP. The original POC by Vulnerability Lab (whoever they are) was done on a Windows 7 OS. Yet WinRAR Labs claims the vulnerability was fixed for all Windows OS, except XP, in a November 2014 Windows Update (MS14-064). [The author of the Malwarebytes Blog Post describes himself: "I'm a Microsoft MVP in consumer security and have been fighting malware for over a decade. My blog posts usually provide background information about malware, security and privacy." https://blog.malwarebytes.org/author/metallicamvp/